A double-free vulnerability exists in the libarchive RAR5 reader (archive_read_support_format_rar5.c). During archive decompression, the state-tracking pointer rar->cstate.filtered_buf can be linked to a temporary filter output block. When the unpacking engine subsequently processes an adjacent file or resets its internal state layout via init_unpack(), it releases the allocation mapped to filtered_buf but fails to clear or nullify the pointer variable. A specially crafted RAR5 archive can exploit this dangling pointer by forcing a second release of the same memory address, triggering a memory-manager abort that immediately crashes the application and results in a Denial of Service (DoS).
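
The release-without-clear pattern described above, next to the release-then-clear form, as an added example that is not libarchive's code or its patch. The struct, the one-slot pool standing in for malloc/free, and all function names are hypothetical; the pool counts a second release instead of aborting so both variants can be run safely.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in for the reader's compression state (hypothetical). */
struct cstate { unsigned char *filtered_buf; };

/* One-slot pool modelling the allocator: a release of a block that is no
 * longer in use is counted instead of aborting the process. */
static unsigned char pool[64];
static int pool_in_use;
static int double_release_count;

static void *pool_alloc(void) { pool_in_use = 1; return pool; }

static void pool_free(void *p) {
    if (p == NULL) return;                     /* like free(NULL): no-op */
    if (!pool_in_use) { double_release_count++; return; }
    pool_in_use = 0;
}

/* Flawed reset: releases the block but leaves the pointer dangling. */
static void reset_unpatched(struct cstate *cs) {
    pool_free(cs->filtered_buf);
}

/* Hardened reset: release, then clear, so any later release is a no-op. */
static void reset_hardened(struct cstate *cs) {
    pool_free(cs->filtered_buf);
    cs->filtered_buf = NULL;
}

/* Link the buffer, reset state for the next file, then hit a later release
 * path (assumed here to be cleanup). Returns the double releases observed. */
static int run_sequence(void (*reset)(struct cstate *)) {
    struct cstate cs = { NULL };
    double_release_count = 0;
    cs.filtered_buf = pool_alloc();   /* pointer linked to filter output */
    reset(&cs);                       /* state reset between files */
    pool_free(cs.filtered_buf);       /* later release of the same field */
    return double_release_count;
}

int main(void) {
    printf("unpatched: %d double release(s)\n", run_sequence(reset_unpatched));
    printf("hardened:  %d double release(s)\n", run_sequence(reset_hardened));
    return 0;
}
```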